
Are you ready?

BSides Charleston · 2017 · 47:31 · 73 views · Published 2017-11

About this talk

Security BSides 2017, College of Charleston, SC, November 11, 2017. @BSidesCHS. Title: "Are you ready?" Speaker: Jason Kent (@jkentakula)

So when I put this talk together, I put it together on the backside of another talk that I had done. Learning for My Friends series is the garage door opener, and it's how hard it is to tell a garage door opener company that I had done that. So this is me, if you want to reach out to Jason. I spent an awful lot of time in Africa bringing technology to people that have zero and supporting technology in place; that's really hard to do. I've hung out with a bunch of the crew that lived in Uganda for a long time. As you can see, hackers with tractors is a hashtag I'm trying to get pumped up.

I think there's two of us now. I know Frank, one of them. You know, I turned my John Deere into a Def Con Deere this year, I put all my Def Con stickers on it, good stuff. I'm hacking like it's 1998. I threw my first malicious tick mark at a website in '98. My wife came home and said this guy named Bob O'Neill broke my application, and I was like, what? And she's like, yeah, because of the apostrophe, and I was like, all right, time to throw some apostrophes around. And you know, the rest is history. I started reading a lot of books about it and doing as much as I could, following much the path a guy before me was talking about: where you, you know, learn about stuff, and then you start educating about stuff, and off you go.

I'm a charity guy, so this year on my trip to Africa I built a methane biodigester out of industrial waste, but I also do stuff like, hey, wouldn't it be cool if you don't have to buy firewood anymore. Some fair warning here: I showed this talk to my boss and he said, need more Star Wars, and so I tried to put some in. Maybe you'll be able to see it, I don't know. If you're looking to hire, raise your hand. Is anybody looking to hire? No, nobody's got open job reqs. I'm sure there's plenty of people that are looking for jobs, but you might be sitting next to your colleague, and if you say that you are pen testing, or you're a consultant, or security analyst jobs, there's jobs, guys. You know, if you're looking for a job, go talk to these guys; it's pretty easy to just chat with them about stuff.

If you want to learn about what it is that I do when I'm not standing in front of people rambling, I'm pretty easy to hire; I'll happily sit down and tell you about my time in the Navy or whatever. If you want to learn about the research, the flaw talk, if you want to see what I had done, all the bits and pieces to hack into my garage door opener, that's on LASCON's website. If you go to the LASCON YouTube channel, I'm the guy that's the picture, that is the channel picture. I don't know why they did that, they could have picked a better guy for that for sure, but you know, there it is.

Everybody talks about Equifax, and at this point I kind of consider them protected-class corporate citizens; we shouldn't make fun of them anymore. They are, they own them. If you want to come talk to me after the talk, I want to hear from you. Who's first con? Five? Quite a few people in a room. I'm seeing more and more people first con, right? I'm not standing in front of the same faces anymore; it's great.

All right, so let's dig into this thing. Is your company ready? Tweet this, email, right: "You have a security flaw and I would like to tell you about it." Well, I did this, right? I called a company and said I found a security flaw. Now in my case it was a security flaw that I was extremely concerned with: I could open my garage door, right? How many of you live in a house where your primary entrance is your garage door? Several, right? That man door between your garage and your house, do you ever lock that? Yeah, on accident now and then, right? Where's the key for that thing?

I really wanted to understand, did I have some kind of IoT thing that was giving me problems? Right, because I plugged all this stuff in in my house, and just like you guys, you know, I wanted my lightbulbs to be a different color, I wanted to know if my garage was open or closed at night, I wanted to set up a system that would tell me, hey, if it's after midnight and my garage door's open, go close your garage door, right, gives me a little button to do it. So I thought it'd be fun, right? So I sat down with a little bit of curiosity and a black hoodie, because that's how you do that, and I started hacking away, right?

I started looking around: what are the things that are out there? It turns out turning on your lightbulbs and getting the Bluetooth to give you your Wi-Fi password is interesting, right? That's very interesting, it's extremely applicable; however, if you're in my house pulling my Wi-Fi password off my Bluetooth light bulb, you're in my house already, right? I wanted to know, how can I get into the house, right? I really wanted to understand that. So I looked around and I said, what do I got connected to the Cypress, right? What did we plug in and forget that we plugged in? And then I want to understand, could I cause some kind of harm or loss if there was something there?

And so I sat down in my driveway and I pulled out my phone and I hooked up something called Burp Suite on my laptop, and I pointed my phone at it and I started watching the traffic that everything was generating. I found out that my camera that was sitting on my mantel in my house is constantly beaconing out, and that my phone has told the service I'm at, right? That's something I'm not really that excited about. I also found out that that service that I'm running off that camera in my house is reading my email, because it's giving me very specific suggested ads based on my insurance company that it knows about, and I know that because I see it in the communication screen, right?

And so I wanted to understand how many of these things. So I opened my garage door up, I captured it in Burp, I sent the replay, and the garage closed, right? I fiddled with the position setting; the garage closed, I opened it, I closed it, and then I started doing standard AppSec pentesting stuff: are they tearing sessions down, can I move the session? Well, I want to understand, could I open someone else's garage remotely? That's really the thing that I wanted to do: attack the API layer, open someone else's garage. Anybody tell me what the research problem is? I was sitting in my driveway opening someone else's garage; I can't figure out if it worked, right? I have no idea if it's functioning correctly.

But the good news is there's Twitter, so I tweeted out, has anybody, you know, got one of these kinds of garage door openers? A buddy's like, I have exactly the same one. Like, all right, here's how you install Burp, here's how you put the cert on your phone, right, here's how you open your garage. Now give me these data elements, and I started manipulating it. I couldn't open his garage with my session; I was happy about that. But the replay attack was enough for me to call Chamberlain and say, hey guys, I think I found something.
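The replay the speaker describes works because the API accepted a captured request as long as the session token in it was still valid. What a replay-resistant check looks like on the server side, as an added illustration that is not the talk's code and not Chamberlain's actual fix: each request carries a timestamp, a single-use nonce and an HMAC over method, path, body, timestamp and nonce, computed with a per-device secret. The secret, the `/api/v1/door` path, the header names and the session value are all constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for a hypothetical device API; a real deployment
# provisions one per device or account rather than a single global value.
SHARED_SECRET = b"constructed-example-secret"
MAX_SKEW_SECONDS = 60  # how far a request timestamp may drift from server time


def session_only_check(headers, valid_sessions):
    """The weak check the talk describes: a live session token is all it takes,
    so a captured request can be resent unchanged until the session dies."""
    return headers.get("X-Session") in valid_sessions


def canonical_message(method, path, body, ts, nonce):
    """Bind method, path, body, timestamp and nonce into one signed string."""
    return f"{method}\n{path}\n{ts}\n{nonce}\n".encode() + body


def sign_request(method, path, body, ts, nonce=None, secret=SHARED_SECRET):
    """Client side: produce the three signing headers for a request."""
    nonce = nonce or secrets.token_hex(16)
    sig = hmac.new(secret, canonical_message(method, path, body, ts, nonce),
                   hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class ReplayGuard:
    """Server side: reject stale, repeated or tampered requests."""

    def __init__(self, secret=SHARED_SECRET, max_skew=MAX_SKEW_SECONDS):
        self.secret = secret
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp it was accepted with

    def _purge(self, now):
        # A nonce only needs remembering while its timestamp is still acceptable.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}

    def verify(self, method, path, body, headers, now):
        self._purge(now)
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        if abs(now - ts) > self.max_skew:
            return False, "timestamp outside allowed window"
        if nonce in self.seen:
            return False, "nonce already used (replay)"
        expected = hmac.new(self.secret, canonical_message(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature (tampered request or wrong key)"
        self.seen[nonce] = ts
        return True, "accepted"


def demo(now=1_700_000_000):
    """Run the four cases a reviewer would want to see; fixed clock for determinism."""
    guard = ReplayGuard()
    path = "/api/v1/door"
    body = b'{"door":"close"}'
    results = {}
    # The naive check accepts the same captured request every time.
    results["naive_replay"] = session_only_check({"X-Session": "sess-abc"}, {"sess-abc"})
    hdrs = sign_request("POST", path, body, ts=now, nonce="0123456789abcdef")
    results["first"] = guard.verify("POST", path, body, hdrs, now)
    # Exact resend of the captured request a few seconds later.
    results["replay"] = guard.verify("POST", path, body, hdrs, now + 5)
    # Fresh nonce but the body changed from close to open: signature no longer matches.
    tampered_hdrs = dict(hdrs, **{"X-Nonce": "1111111111111111"})
    results["tampered"] = guard.verify("POST", path, b'{"door":"open"}', tampered_hdrs, now + 5)
    # Captured an hour ago and resent with a new nonce: outside the window.
    stale = sign_request("POST", path, body, ts=now - 3600, nonce="fedcba9876543210")
    results["stale"] = guard.verify("POST", path, body, stale, now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>13}: {outcome}")
```

The nonce cache is in memory here; behind a load balancer it would need to live in a shared store, and the timestamp window is what keeps that store from growing without bound.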

So what if they found something? If you are looking at your organization and thinking, oh no, a researcher may call me, the answer is: they will. It doesn't matter what you put in your end-user license agreement that says don't hack our stuff or security test it; it turns out that safety always trumps any crap you put in there, right? So if my goal is to make people more safe, I can hack you all I want, right, if that's really my goal and what I'm going to... But there's some caveats to that, right? I have to report it to you, responsible disclosure, that kind of stuff, but it's okay. Yeah, you'll also have to understand that they're gonna call, right? It's gonna happen.

So who are they gonna call? Well, in my case I couldn't figure it out. Went to their website: there's no abuse@, there's no security anything, there's no nothing, right? Their APIs didn't have anything in the headers to say, hey, if you're banging on this, let us know. Nothing, right? Who do you call in this situation? Anybody guess? The 800 number on the side of the box that it came in, right? That's all I got. So I called them and I got a customer service agent, right, and they were very willing to help with resetting the PIN on the little box on the outside of the house. You'd have to do that all the time, take a battery out. Yeah, no, I don't need the box, I can open the door though, right? I need to talk to someone else.

And so I looked around and looked around and looked around and I couldn't figure it out. And it turns out in our industry we have no standard way for reporting: there's no standard way for the environment to set itself up so that I'll know who to report to, and there's no standard way for a researcher to go looking for reporting. It's kind of a bummer. If they get through, what's gonna happen, right? There's probably no training; there's probably no one inside your organization that knows what to do if somebody goes, you got this bug. It's going to be difficult.

So what we want to try to do is smooth this out a little bit, and the way you usually smooth things out like this is you have some kind of plan, right? So this is the bomb threat checklist that the FBI produces, right? You know, on this checklist it's like, where's the bomb, when's it going to explode? They go through all this. They give you lots of room to write, you know, where is it, when's it gonna explode, down here the exact wording of the threat, right? Over here you're supposed to fill this out and say who you called, right? But there's really nothing else: who am I supposed to call? If somebody calls in a bomb threat, get everybody out of the building, right? That's not stated on there anywhere. The FBI wants to go find the person that built the bomb; they built this checklist, right? They're not here to try to help get you out of the building, they're here to figure out who built the bomb because they want to go arrest them. You've got to have a good set of policies and procedures, a good understanding of where they're gonna go.

So a good place to start is by simply putting it on your website, right? When you load up any website today there's a little icon that appears in the tab. Well, that happens because we've all agreed that if you put this one thing in this one place, the browser will put it there, right? Well, why can't we have the same thing? So security.txt is an idea, right? Why can't I just go to your domain slash security.txt and I'll see who I can send an email to, maybe your PGP key there so that I can, you know, encrypt the data that I'm sending? There's one possibility. There's already organizations that communicate with developers, with anybody that has a little bit of understanding. Today this is the Etsy store's website, Code as Craft, etsy.com/careers, right? This is a header; you don't see this anywhere on the page, you have to be looking for this, right? But there it is.
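The security.txt idea above was a draft when this talk was given; it later became RFC 9116, which places the file at `/.well-known/security.txt` and defines fields such as `Contact`, `Expires`, `Encryption`, `Preferred-Languages` and `Policy`. Below is an added example, not from the talk or any vendor, of a small parser and checker a defender could run against their own file to confirm a researcher would actually find a usable contact. Both sample documents and the example.com URLs are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed example of a file a site might serve at
# https://example.com/.well-known/security.txt; not any real site's file.
GOOD_SECURITY_TXT = """\
# Security contact for example.com (constructed example)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Encryption: https://example.com/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en
Policy: https://example.com/security-policy
"""

# Constructed counter-example: a policy link and a key, but nobody to write to,
# the key served over plain http, and no expiry.
BAD_SECURITY_TXT = """\
Policy: https://example.com/security-policy
Encryption: http://example.com/pgp-key.txt
"""

ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return {field-name-lowercased: [values...]}; lines that are not
    'Name: value' are collected under '_malformed' instead of being dropped."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            fields.setdefault("_malformed", []).append(f"line {lineno}: {raw!r}")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """List the problems a researcher would hit trying to use this file."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"malformed {m}" for m in fields.get("_malformed", [])]

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("no Contact field: a researcher has nobody to write to")
    for c in contacts:
        if not c.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:, https:// or tel: URI: {c}")

    # A PGP key fetched over plain http can be swapped in transit, which defeats
    # the point of asking for encrypted reports.
    for e in fields.get("encryption", []):
        if not e.startswith("https://"):
            problems.append(f"Encryption key must be fetched over https://: {e}")

    expires = fields.get("expires")
    if not expires:
        problems.append("no Expires field: readers cannot tell whether the contact is still current")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_SECURITY_TXT), ("bad", BAD_SECURITY_TXT)):
        print(label, check_security_txt(doc) or "ok")
```

Running this against the file you actually publish, on a schedule, is the cheap way to notice that the mailbox in `Contact` was retired or that `Expires` went past without anyone updating it.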

So since I'm here already, I'm gonna be looking at your website in Burp Suite; that's happening, right? That's how I browse the web, so it's happening. So while I'm there, you might as well give me a way to get ahold of you. It'd be a really great idea, right? I mean, we figured out a long time ago that these crawlers that are going around the Internet, we want to make sure they don't go to certain parts of our website, because maybe there's sensitive data there that you don't want indexed and people searching later. So in this case we've got, you know, I picked on United a lot; if anybody follows me on Twitter, I'm sorry, I'm always picking on United on there.

But this is United's disallow page, and it's only some of it, for robots.txt. What does this tell an attacker to do in the first place, right? There's a few guys in the room that are ex-Navy: every time we pulled into a new port they published a list of bars you weren't allowed to go to, always where you ended up passed out at. But if we're gonna have robots.txt, why don't we have humans.txt, right? Like, direct me around: here's where, maybe if you find an error message or something, you could report it back to me. I mean, there's got to be some way that we can communicate with each other. Pick one, I don't care what you want, right, just make it a little easier for the researcher to contact you.

Now they're gonna go side-channel like I did; I had to. Maybe you call a customer service line. Training, that swing by: hey, if somebody calls and says they're having a security issue, you know, maybe we should do things with that. Perhaps a little rewards-based drilling, right: just simply call in one day, and if they ask you this question, get them pizza or whatever, I don't know, Fred. You know, what I'm trying to say is your customer service team can't be the place that I get trapped for four days, right? And if I'm constantly saying no, no, I don't need my PIN reset, you have a bug, right, and I said it I don't know how many ways, you really have to be able to pick this up. Because if I get mad I'm not going away, I'm going deeper, right? And that's the problem with trying to have a researcher... research would be placated by silence doesn't work.

So finally I get past customer service and I land on a product manager's desk. Yay, great. We set up a phone call, I dial into it and I explain everything that I found. I explained, you know, basically I can open a garage door. If I can sit near your house and sniff your Wi-Fi, I'm for sure gonna get your garage door. But there's a little-known fact about how all these apps work: they constantly log in. So a little while ago when Florida had the hurricane come ripping through, and all of the telecom companies turned on free Wi-Fi and made it wide open access, man, I'd have loved to have been sitting down there to watch everyone's passwords for their banks go flying through, to watch all the push notifications cross the network, right? Because there was then no protection, right? If I get in, I control the access to the house, not just the garage. Now, Brandon, the garage is pretty interesting: my garage has got an old Volkswagen in it, a chainsaw, an ax, right through the door. But it doesn't matter, unlock the door anyway, right, because I use the outside as my protection.

So I'm explaining to these guys, hey, you know, I'm just looking to see if you've done something that makes my house less secure, and they told me, security is our number one priority, Mr. Kent. And I said, that's great; how many security guys are on the call? Zero. They don't have a security team, and they've never tested their application, right? They make a machine that lifts the door because you're too lazy to get out of your car, right? But then they put it on the Internet, and that step meant something that they weren't anticipating. So eventually they're going to get to you, or maybe not, maybe you're frustrated and turn away, right? But if they get through to you, you're gonna be basically at that point in the middle of an incident response, right? You need to treat this like it's an incident: the security team, product management. You know, you're gonna want to go talk to the researcher, and don't approach them like, I have all the legal right in the world to sue you, what are you calling me for, right? Approach them with a little bit of humbleness and a little bit of thank you for telling us, right? You have to be a little bit careful here, because if your first step is to call the lawyers, right, I mean all of us in the room take a bite out of the chair a little bit when somebody says lawyer, right? If I'm on the other end of this, I know I'm open to get sued. Don't do that, right? Don't call the lawyers. Maybe you could have an adult discussion with them.

So as an example of this, there's a guy named Yan Oberg, who's Finnish or Swedish, I can never remember which, and he goes around looking for cross-site scripting on websites. Cross-site scripting, and if he finds it, he's very good about reporting it to you, if he can figure that out, right? And if you fix it, he's very good about tweeting that you have fixed it. In 30 days though, he tweets you have it, and he doesn't care, right? You get 30 days from the first time that he notifies you until he tweets it. So I worked for a security company that decided we're going to move our blog onto a different platform, and when we did that, the developer that put it together forgot to put request validation on all the search parameters, and we ended up with cross-site scripting. Yan pulled us up, and I said, what do you want, man? You know, like, what's the thing that you want? You want us to pay you for this? You want a t-shirt? What is it? And he's like, I don't want cross-site scripting, that's what I want. He's very altruistic; he just doesn't like this menace, right, and he wants to get rid of it.

And it could very well be that the researcher that's following you just wants it fixed, okay? And so a promise of "I'm gonna fix it" might be the thing that'll get you there. So calling the lawyers is probably going to be their worst fear, unless you're somebody like Yan that lives in a country where what he's doing isn't illegal, right? He's allowed to do this thing, so he's gonna do it anyway. But it really depends, right? When somebody calls you, we often go through this phase, or phase change if you will; this is called the direct curve. This is for people that are experiencing change, right?

So if you think about my company that has the machine that lifts the door, when I first called them they said, well, that's not a problem, hey, it looks really hard to do. They had a bunch of this kind of stuff, and they basically told me they didn't care, right, and I had to take them through the next couple of steps just to get them to start looking at this thing. So when I first called them, they were firmly planted in denial, right? This is the headwaters of the Nile, where we do a lot of our work in Africa; they were firmly planted here. That looks really hard to do; what is this Burp thing, right? The Internet, that's still around? I mean, they really didn't have a good grasp of this, and so it was up to me to explain to them why it was a bad thing, right? Big clue here: if a researcher calls you and says you have a problem, you have it. "That's really hard to do" is what I get, right, on how many reports, and the answer on the other side is, who would do that? Right, yeah, hackers, that's who, right? The people that want in. Denial doesn't effect change; hey, this doesn't move us forward. We have to try to get to the point where we're actually trying to change, right, which means we've got to move through this direct curve kind of as fast as we can.

But if you call a researcher's research impossible or difficult or whatever, let me let you in on something: they know that, right? They spent months doing this, and so they know how hard it is to do. They're trying to simplify it for you, and if it's your lawyers that are on the phone, they won't understand it. So dig into the researcher's motivation. Maybe they're looking for a job; maybe you need to hire. All right, this might be a good thing, maybe it is it, right? You don't want to accept this as extortion, for sure. Oftentimes it's just bragging rights, right? I have hacked a thing, yay, right? In my case I wanted to go get a good talk at DEF CON, right? Go hack stuff, see, and get on the stage, whatever, right? I wanted to figure out if nobody's gonna break into my house. Do they want a t-shirt? Do they want a bounty? Do they want your legal team to write them a note? You know, call them and ask them, right? Have a good conversation with them. But if at any point the researcher goes adversarial and starts to try to extort you, call police immediately. Do not negotiate with that, right? They're not there for your benefit; they're trying to do something else. Go after them, right? And I think that that's something that not enough organizations really understand: if they catch an attacker, they just sort of brush them away, and it's like, no, we need to put some penalties behind this so we don't see so much of that.

So I had a phone call with these guys; that meeting went well, me and the lawyers and the product manager. The team will now go away and validate that what I have told them I can do is actually something that someone can do. And this is one of those points where it's like, I've spent a lot of time on this; to me it sounds like you're trying to get me to just go away. And I gotta warn you, man, if you start to do this to a researcher, keep this in mind: it's a trap, right? You're going to be putting a bad face to the researcher, and the researcher is going to be aggravated by it, and you really don't want something like that. Silence is not gold in these situations. Ignoring it means you don't care as much as they do about the problem you have, right? I mean, that really is what it is.

So during the Chamberlain disclosure, I called them and said, you know, you guys have a look at this; we've reached a point where I'm doing my slides, I'm going to tell everyone about who you are and what this problem is. And they said, hey, it's CES week, we're super busy. So you're going and selling more of this thing that's broken? Excellent. You know, do you tell them it's broken? And so I spent a lot of time trying to figure out, why aren't they answering my emails, right? Why aren't they listening, as I told them that my house now has a vulnerability because of them? Give us more time please before you disclose. Sure. The standard responsible disclosure in our industry is 30 days: if I call you and tell you there's a flaw, you have 30 days, right? But I know for a fact that they weren't ready for me to call, right, so I was trying to be nice to them. But in reality they were just trying to get me to, you know, move on to the silence phase, where we don't talk to each other anymore.

But something that you should keep in mind: keep your enemies close. If somebody has spent a long time picking at this wound that you have, maybe they got a little deeper and figured out a better way to execute, right? They've dug down into your systems and understand that you have no security practices, right? It could very well be that you're gonna make them mad, and that's probably not the best motivation that a researcher is gonna have. You know, I was just in San Francisco with a client, and it was during Dreamforce. Does everybody know what Dreamforce is? Anybody ever heard of salesforce.com? Salesforce.com throws this shindig every year that makes Black Hat look like a tiny little party shoved in a closet, right? The entire city is affected by it. The hotel that I tend to stay at costs $120 a night; it was nine hundred and four dollars a night. I ended up having my plans changed; I needed to check out of my hotel early. I walked down to the front. Now I travel a ton, I'm an elite-level traveler, this is normal, right? They normally are very nice about this, and they're like, tell you what we'll do, we'll only charge half for tonight. And I said, if you charge me more than zero, it will be my room for tonight; you will not rent it out, right? I'll set a camera in there, happily wait for you to open the door, right?

But now the researcher's motivation has changed. So I look at the back of my door. You ever stay in a hotel that has a little placard that says the maximum rate that they can charge you for the room on it? Guess what: they were charging me more than that amount. So I went down there and said, oh, and by the way, since you want to treat me like this, you can't charge me $450 a night for this room; it's $399.99, some max rate, it's on the back of the door, right? And they were like, oh. This is my idea of: don't make the researcher mad, because they're gonna find new motivations, right? They're gonna start to go look at this thing in a different way. I also tweeted at Dreamforce: everyone, look at the back of your room door and check out. The next day was probably fun for all these hotels, right, all up and down the peninsula in San Francisco.

You need to make sure that you're treating this like an ongoing incident. There should be a product or a project manager associated with it; there should be someone on the security team that's tasked with following up, right? This is an incident that's going on. Communication is extremely important; turning it off just changes the way things are, right? Resistance is futile. Eventually they say, maybe you're right, maybe we do have this problem. Yeah, maybe. So they said, well, I see you've spent some time on this. They still don't really believe it's something that they need to go fix. Any idea why they have such reticence to go fix it? They don't know how. They literally can't. And so what it was was they needed a code change, a new ship, a new mobile app, right, like it was a bunch of things, and they had bought all this, right? So the researcher had found something that they had purchased, and they didn't have good contracts for security inside of it; that meant they had to go purchase another one. But at least we started moving through the curve, right? So now we're on resistance to change: well, there's some kind of change, but I don't really want to act on it.

Now when I was first employed in the information technology realm, I worked for a place called UUNET. I controlled most of the domain naming system on the Internet and a lot of the traffic, and one of the ladies that I worked with, one day they said, we're gonna move you from this office to that office, and she said, no you're not, right, and locked herself in her office, right? And it took a long time to get her up to commitment where she could actually move down to the next office. But it was crazy to watch, and people are like that, right? That's how people are. The researcher is often here to help, and I was here to help; I called you because I want to help. Please know that, right? If you can't figure it out, ask the researcher to show you again, ask the researcher to instrument your environment, ask the researcher to help you set it up, because that's going to be really important, right? Their biggest snag was Burp: in order to split their cert, you've got to import the Burp cert to trust it, right, and they had difficulty with that. I got on the phone with them: you know, export it, okay, email it to yourself, and click it. They're going... but you know, if you don't know how to do it, it takes a second.

If you believe that this thing isn't important, right, ask how it can impact: what's the real risk here? Well, I could sit outside somebody's house and open their garage door, probably in an uncontrolled way, in a way that you don't expect. But that researcher, you need to at least offer some sort of compensation, if it's not just, you know, we'll put you on our kudos page or whatever. The next phase is called exploration, right, and in exploration the key phrases that you're gonna hear are things like, well, we've given this some thought, what would you do? Right, so I make a bunch of suggestions, where I give them a path to remediation in some way. I've put a lot of thought into this, right, I've spent time with it. Where can we go for help, right? Who could help us with this problem? These are really good questions, and they make me believe that yeah, we're now moving through the curve and we are accepting the need for change, right? They're exploring the situation and understanding that this is a real problem and we need to go solve it, but they're not quite there. Moving forward: in their case, that meant shifting into forward, right; they weren't doing anything to begin with.

The researcher is probably going to offer solutions. I offered them a bunch of solutions: go get a pen test, you know, figure out what's wrong with the code. And they started responding with different questions, right? But you have to remember solutions have impact, some kind of impact. So take for instance KRACK, right? Anybody know what KRACK is? If you have something running WPA2 today, it's probably vulnerable to KRACK. How do you fix it? You gotta patch it, okay. We tell enterprises to do this all the time, right, go patch your servers. Everybody raise your hand. So how do we fix it? How do we know it's fixed? How do you know that the firmware is ready? How do you know the vendor fixed it, right? This is not a simple problem, by the way. This is how enterprises are dealing with things. Think about the car hacking stuff, the impact that it had. How many of you guys have heard about Charlie Miller and Chris Valasek hacking the cars? Okay, so over a Wi-Fi, sorry, over a mobile phone connection, they were able to connect directly to a vehicle and SSH into it, change the firmware on the vehicle to their own modified firmware, because Fiat doesn't believe in code signing, right? And it was air-gapped, well, software air-gapped. They went after that thing looking for a flaw; they found one.

What happened though? Look at the impact of their research. Sprint had to change the way that network worked, right? They had to redesign a network that was already in place because of the vulnerability, right? Chrysler, Fiat, whatever their name is, had to go send a recall notification out; a million and a half cars had to go get their firmware upgraded, and some people didn't go. So what did they do? This is, this is the best part of this: they mailed USB keys around and said, plug this into your car. Which Charlie then immediately copied with his own firmware, made copies of the notification, and started man-in-the-middling, right? The impact is huge, maybe, right? Think about ATMs. Think about ATMs just for a minute.

I'm not the first guy that has disclosed a problem, and I know I'm probably not the last, right? But a good example of this is Barnaby Jack. Barnaby Jack found a flaw in an ATM, right: I can dump this thing and shoot the money out right now. If you're an ATM company, that's not good, okay? But if you're an ATM company, how many endpoints do you have? Millions. They're plugged into modem lines in gas stations, they're plugged into banks, they're plugged into, you know, who knows what kind of kiosks. Anybody been to Vegas? There's ATMs, those bill changer weird machines, right? So there's a lot of this impact that's out there. Barnaby calls the ATM company, says okay, we'll fix that, right? So they start working on a fix, or they start waiting to fix it; we're not sure of the timeline that they had to fix it. But he was gonna go to DEF CON and talk about this thing, right? Now they got the lawyers involved, right? They issue a cease and desist letter; it's too hard to go fix all these things. It is. So what ended up happening was it delayed a year, right? Barnaby waited until the next year. They had to go fix all this stuff, and it was Diebold ATMs and NCR ATMs, and you know, cashing an ATM out, right, is huge news. Everyone looked at this thing and they had to have it fixed anywhere that they could. Turns out there's additional flaws in these systems, but this was just, you know, an example of: it's hard to fix, right?

Well, my company, it was simple to fix: they just needed to put a fix in their mobile app and send it out, right? Publish a new app; not that hard. All right, so 30 days, 60 days, 120 days, whatever time the researcher's giving you, eventually time's up, right? Eventually they're gonna start talking about it; they're going to need to talk about it with their peer group, or they're gonna talk about it in a situation like this, right? The fun thing about that is you lose control of that, right? You're sort of in control when you're in the middle of this direct curve in the first three phases, but when time is up, you lose control of the information, and it's important to have that sink in: you're going to lose control of this. They're going to tweet about it; they're gonna say stuff about it. Think about Equifax, right? They lost control of the fact that 143 million records of the US public have been stolen from a database that none of us opted into. That information made their CEO go on stage and say, yeah, we probably should dump it, got that right? He sat in front of Congress and said, the scanner missed it, right? Losing control of the information means you have to react, and if you're bad at that, you're gonna sound like those guys did. But he got 85 million dollars to quit, so that'll teach him, right?

Keywords for "I'm in the exploring phase": we have additional questions, right, problematic architecture stuff. They had these APIs that when you read the API calls you were like, okay, garage door open and garage door closed; like, you know, none of this stuff is obvious. It's so easy to pick apart; I can get, you know, all kinds of data off of this. We need to do something else, right? Do you recommend someone to look at this? I told them to call Samsung, right, because the Samsung SmartThings is probably the most sophisticated API I've ever seen, and it's well done, right? Whoever did that architecture and put all that together, by the way, it's Samsung internally, kudos to them, and you should call them and they should share with you how they did this, because it's quite good. Eventually they said, you know, are you willing to look at something else, or if we do fix it, are you willing to validate that it has been fixed? And I agreed to that, right? I have yet to speak to them again. I know it's been fixed because I test it all the time, but they have never called me back.

The last phase of this is commitment: yeah, we're gonna fix it, right? We are committed to doing this change, we understand that it's, you know, awesome. Moving forward, we've got to focus on the future, and so once you hit that commitment phase, you are going to, you know, fix up whatever it is that you have problems with. But be ready for this, right, because committing means we've got to fix all the ATMs, or we've got to fix all the cars, or maybe we have a solution in place that we should ask this researcher, is this a good way to fix this, right? If Chrysler had called Charlie and said, hey, we're gonna mail USB keys around with this letter, Charlie would have said, don't do that, right? He would have said, let me just fix it over the air, I know how to do that, right? I mean, he literally could have fixed everybody's cars through SSH, right? You drive past any cell tower and it would have got fixed.

So Chamberlain went back and they tightened up security. I put up there, sort of: they made it so you couldn't split their cert open easily anymore, and I'm kind of okay with that and kind of not, right? I haven't dug into this any further, partially because they haven't called me and said okay, it's fixed, but partially because if I keep picking on them it's just gonna sound weird, right? You've got to find the next company to pull the next gag on. But they did put in one thing that I was really happy about: if you present a session token and an invalid cert, they invalidate the session. So if you're monkeying around too much, they keep logging you out, which does in fact take time, and does in fact keep the researchers away a little bit, right? Step one, or half, however you want to say that. But it does make it so that I can't so easily go bang on this thing. Now I haven't opened it up with, like, Mobile Edit or anything like that to look, are they storing their API keys in the clear

or anything but I have a feeling that all that's going on too so for you once you get to this commit phase it's a good idea look back and post-mortem this thing how do we do right when you start working on a problem you're gonna have a better thing and that's good but look back and say how'd you get a hold of us right how did you hear about the conference did we do a good job with that because if you didn't it's a good idea to start making it so that you have security not text or whatever that thing is right at any point were you dismissive of the researchers research it's a good question to ask yourself

right being dismissive of somebody's research is crazy right when Charlie before he was hacking cars he was hacking NFC and found all these flaws with NFC and Android right they never they never really looked at it as a flaw they're like well I don't see it kind of touches a kernel and touches the ground so a bit yeah can't can't get away from me you have to think don't be dismissive right did you have any level of appreciation the alternate the alternative here and I make this joke all the time is that your intrusion detection is gonna be brought to you by Brian Krebs right he's going to go to the media and say I there's this thing

so what you want to try to do is make sure that you are appreciative of the disclosure of them doing the process of disclosure right because they don't have to they can just totally put it on Twitter and you know send it out to the world did this disclosure help you find other problems right as you went to fix it did you find other flaws or did you think of things different way and did you apply any different techniques and in the last case here say thank you to the researcher right I have never heard back from Chamberlain though they have fixed the app in their way they have never ever called me and said thank you for

telling us and being you know slow with the way thank you and talked about this and it it doesn't hurt me personally but it hurts me from the perspective of help each other hey Jack this morning as Keynote said be kind to each other and help each other that's what I'm trying to do right I do this with my personal life I do this with my professional life at least be appreciative or be do a kindness to someone else in summary you need to look at your attack points understand your perimeter and understand that you may be injecting a change to that Chamberlain's case they didn't have anything connected to the internet and then suddenly they had

everything connected to the Internet right all of a sudden you could go to Home Depot and put your garage door opener online make sure you're approachable I need to be able to find you right if I figure out that I can you know dump an ATM by taking a gift card and turn in some bit somewhere and I tell you about it be appreciative of that and see if you can figure out how to fix it perhaps get on their side bugcrowd has bug bounty programs and I know everybody gets a little weary about this but they have bug bounty programs where you don't have to pay money right they do literally have a 13 year old

Pakistani kid that's amazing with computers that will sit in Pakistan and bang on your website for 50 bucks right please come up with the 50 bucks right this kid will be super happy when you find something give him the money right this this is research that you can't do on your own and it's research that you probably can't find the skills for and so that's the kind of stuff that we have to you know figure out so this is sort of the end of my talk but I want you to understand that I want to help people I like being kind and helping others it helps me right if you've ever helped somebody and felt

good about that that feeling is addictive get addicted to it so if you're shy you don't want to talk to me right now you want to talk to me later I'm happy to do that right if you want to go sit down and have beers and bang on and some mobile app I'd love to do that if you want to join me on my new quest I was in an uber riding to a speaker's dinner in Texas the music that was on listened to it for a little while it's not really my jam but I said yeah this is nice I like it tell me about yourself he's an independent Spotify artist interesting so he tells me that

if you climb the ranks then Spotify you start to get record deals more interesting right now all of a sudden I'm interested why Spotify has api's they communicate to other applications right wouldn't it be neat if I could make my uber driver famous right if anybody wants to come with me on this trip we're gonna do it I'm not standing here because I myself am anything many many many people got me here people that educated me people that supported me people that I've worked with work with Frank for a long time he carried the water while I was doing research this is the kind of stuff that you have to have a good understanding of being

kind to everyone and making sure that we all have good understanding that's my goal and I hope someday that it's yours much love is a b-side staff this isn't easy to do granted it's a couple of rooms and we try to get 300 people in it go ahead throw yourself a party for 300 people and tell me how much of a headache it is right so make sure that you understand that they're here keep in mind everybody that has stood in front of you today 7 months ago said I want to try to go talk there right and then we had to have a talk ready and all that kind of stuff so keep all the guys that

are up here speaking and gals in your in your mind there's a couple vendors outside they kick in enough money to make sure you can rent the place and all that visit them talk to them even if you don't like their products understand what part of the market they're going after understand what you're doing to address that part of the market in your organization if it's phishing like the fish Labs guys you know are you doing a campaign if not should you right I've seen plenty of people clicking the link right you send them there's a problem and your time off requests they all click that link I'm telling you right now so thanks for attending you guys

spent some time with me today that's really important to me and I really appreciate it if you want to get it touched me I'm on LinkedIn or Twitter that I'm probably bashing United

[Applause]